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IN THE CLAIMS 




Please amend the claims as follows. 



1. (Previously Presented) A method for using a binary state machine for 
processing a data stream in an intrusion detection system, the method comprising: 

maintaining a state table, the state table indexed such that inputs comprising a current 
state and a current character yield an output of a new state, the new state related to an 
indication of an attack on a computer network; 

maintaining the current state; 

receivin g, at a state machine of an intrusion detection device, an input stream destined 
for a first network device to be protected by the intrusion detection device, at a binary stat e 
machine prior to b e ing buffer e d at a first n e twork d e vic e, the input stream received at the 
state machine prior to reaching the first network device and comprising a plurality of 
characters, wherein the first network device is operable to execute a program transmitt e d by a 
second n e twork d e vic e; 

storing a copy of the input stream at a n e twork int e rfac e disposed b e tw e en th e first 
n e twork d e vic e and the s e cond n e twork devic e ; 

r e p e ating th e following for e ach charact e r of th e plurality of charact e rs; 

selecting a first character of the input stream as the current character; and 

comparing a curr e nt charact e r the current character and the current state to the state 
table to generate a new state ; and 

discarding the first charact e r b e for e s e l e cting a next charact e r of th e input 

str e am; and 

transmitting th e copy of th e input str e am to th e first n e twork devic e if an attack on th e 
computer network is not d e t e ct e d . 

2. (Original) The method of Claim 1, further comprising initializing the current 
state to an initial state. 
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3. (Original) The method of Claim 1, further comprising: 
setting the current state equal to the new state; 

selecting a next character as the current character, the next character appearing 
subsequent to the first character in the input stream; and 
repeating the comparing step. 

4. (Original) The method of Claim 1, further comprising recognizing the new 
state as indicative of an attack upon the computer network. 

5. (Original) The method of Claim 5, further comprising sounding an alarm. 

6. (Original) The method of Claim 1, further comprising generating the state 
table from a REGEX command. 
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7. (Currently Amended) A system for use as a binary state machine for 
processing a data stream in an intrusion detection system, the system comprising: 

a state table indexed such that inputs comprising a current state and a current 
character yield an output of a new state, the new state related to an attack on a computer 
network; and 

a state machine communicatively coupled to the state table, the state machine 

operable to: 

maintain the current state; 

receive an input stream destined for a first network device to be 
protected by the intrusion detection system, prior to b e ing buff e r e d at a first network d e vic e, 
the input stream received prior to reaching the first network device and comprising a plurality 
of characters , wherein the first network device is operable to execute a program transmitt e d 
by a s e cond n e twork d e vic e; 

r e p e at th e following for e ach charact e r of th e plurality of charact e rs; 

select a first character of the input stream as the current character; and 

compare a curr e nt character the current character and the current state 
to the state table to generate a new state ; and 

discard th e first charact e r befor e s e l e cting a n e xt character of 

the input stream; and 

a n e twork interfac e dispos e d b e tw ee n th e first n e twork d e vic e and the second 
network d e vic e and op e rabl e to: 

stor e a copy of th e input stream; and 

transmit th e copy of the input str e am to th e first n e twork d e vic e if an 
attack on th e computer n e twork is not det e ct e d . 

8. (Original) The system of Claim 7 further comprising a computer readable 
medium, wherein the state table is stored upon the computer readable medium. 

9. (Original) The system of Claim 8, wherein the state machine comprises 
software code stored upon the computer readable medium, the software code further operable 
to be executed by a computer processor. 
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i 10. (Original) The system of Claim 7, wherein the state machine is further 
operable to initialize the current state to an initial state. 

1 1 . (Currently Amended) The system of Claim 7, wherein the state machine is 
further operable to: 

s e tting set the current state equal to the new state; 

selecting select a next character as the current character, the next character 
appearing subsequent to the first character in the input stream; and 
rep e ating repeat the comparing step. 

12. (Original) The system of Claim 7, wherein the state machine is further 
operable to recognizing the new state as indicative of an attack upon the computer network. 
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13. (Currently Amended) A system for use as an intrusion detection system, the 
system comprising: 



device to be protected by the intrusion detection system, prior to b e ing buffer e d at a first 
network device, the network interface operable to receive the input stream before the input 
stream reaches the first network device, the input stream comprising a plurality of characters 
transmitted by a second network device , wherein the first network device is operable to 
execute a program ; 

a processor communicatively coupled to the computer readable medium and 
the network interface; 

a state table stored upon the computer readable medium, the state table 
indexed such that inputs comprising a current state and a current character yield an output of 
a new state, the new state related to an attack on a computer network; and 



medium and executable by the processor, the state machine communicatively coupled to the 
state table, the state machine operable to: 



to the state table to generate a new state ; and 

discard th e first character b e for e s e lecting a n e xt charact e r of th e input 
str e am, the n e twork int e rfac e furth e r op e rabl e to: 

store a copy of the input str e am; and 

transmit the copy of th e input str e am to th e first n e twork d e vic e if an 
attack on th e computer n e twork is not d e t e ct e d . 



a computer readable medium; 

a network interface for receiving an input stream destined for a first network 



a state machine comprising instructions stored upon the computer readable 



maintain the current state; 

r e p e at th e following for e ach character of th e plurality of characters; 
select a first character of the input stream as the current character; and 
compare a curr e nt character the current character and the current state 
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14. (Currently Amended) A logic for using a binary state machine for processing 
a data stream in an intrusion detection system, the logic embodied in a computer-readable 
medium and operable to: 

maintain a state table, the state table indexed such that inputs comprising a current 
state and a current character yield an output of a new state, the new state related to an 
indication of an attack on a computer network; 

maintain the current state; 

receive an input stream destined for a first network device to be protected by the 
intrusion detection system, at a binary stat e machin e prior to b e ing buffer e d at a first network 
devic e , the input stream received at the logic prior to reaching the first network device and 
comprising a plurality of characters , wherein the first network device is operable to make a 
decision according to a program transmitt e d by a s e cond n e twork d e vic e; 

stor e a copy of the input stream at a network int e rfac e dispos e d b e tw e en th e first 
n e twork d e vic e and th e s e cond n e twork d e vic e ; 

r e peat th e following for e ach charact e r of th e plurality of character s ; 

select a first character of the input stream as the current character; and K 

compare a current character the current character and the current state to the state 
table to generate a new state. ; and 

discard th e first charact e r b e for e s e l e cting a n e xt charact e r of th e input str e am; and 

transmit tho copy of th e input str e am to th e first network d e vic e if an attack on th e 
computer n e twork is not d e t e ct e d 

15. (Previously Presented) The logic of Claim 14, further operable to initialize the 
current state to an initial state. 



16. (Previously Presented) The logic of Claim 14, further operable to: 
set the current state equal to the new state; 

select a next character as the current character, the next character appearing 
subsequent to the first character in the input stream; and 
repeat the comparing step. 
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17. (Previously Presented) The logic of Claim 14, further operable to recognize 
the new state as indicative of an attack upon the computer network. 



18. (Canceled). 



19. (Previously Presented) The logic of Claim 14, further operable to generate the 
state table from a REGEX command. 
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20. (Previously Presented) An intrusion detection system, comprising: 

means for maintaining a state table, the state table indexed such that inputs 
comprising a current state and a current character yield an output of a new state, the new state 
related to an indication of an attack on a computer network; 

means for maintaining the current state; 

means for receiving an input stream destined for a first network device to be protected 
by the intrusion detection system, prior to being buff e r e d at a first n e twork device, the input 
stream received at the means for receiving the input stream prior to reaching the first network 
device and comprising a plurality of characters , wherein the first network device is operable 
to execute a program transmitt e d by a s e cond network devic e; 

moans for storing a copy of th e input stream, th e m e ans for storing dispos e d b e tw ee n 
th e first n e twork device and th e s e cond network devic e ; 

means for selecting a first character of the input stream as the current character; and 

means for comparing a curr e nt charact e r the current character and the current state to 
the state table to generate a new state ; and 

means for discarding th e first charact e r b e for e s e l e cting a n e xt character of th e input 
stream; and 

means for transmitting the copy of the input stream to the first network device if an 
attack on the computer network is not detected. 

21. The method of Claim 1, and further comprising: 
setting the current state equal to the new state; 

selecting a next character as the current character, the next character appearing 
subsequent to the first character in the input stream; 
repeating the comparing step; and 

wherein the first character and the next character are each selected and compared only 



once. 
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